US10289405B2ActiveUtilityA1

Integrity assurance and rebootless updating during runtime

57
Assignee: CROWDSTRIKE INCPriority: Mar 20, 2014Filed: Mar 20, 2014Granted: May 14, 2019
Est. expiryMar 20, 2034(~7.7 yrs left)· nominal 20-yr term from priority
G06F 21/52G06F 21/566G06F 8/656G06F 21/568H04L 67/34
57
PatentIndex Score
0
Cited by
186
References
22
Claims

Abstract

Techniques are described herein for, without rebooting a computing device, unloading at least a component of a kernel-mode component of the computing device and loading an updated version of the component of the kernel-mode component. The techniques may be performed by an integrity manager associated with the kernel-mode component. The integrity manager may also determine integrity of the kernel-mode component by causing the kernel-mode component to perform an action associated with a known reaction, determining whether the known reaction occurred, and in response, performing a remediation action or notifying a remote security service. Further, the integrity manager may determine whether any computing device lists include representations of components or connections associated with the kernel-mode component. The integrity manager may then remove the representations from the lists or remove the representations from responses to requests for contents of the computing device lists.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method comprising:
 registering, by an integrity manager associated with a kernel-mode component of a computing device, one or more hooks with an operating system of the computing device on behalf of the kernel-mode component; 
 receiving, by the integrity manager, a request associated with an update to the kernel-mode component of the computing device; and 
 without rebooting the computing device,
 initiating, by the integrity manager, unloading of at least one component of the kernel-mode component, 
 following the unloading, logging, by the integrity manager, one or more events associated with the one or more hooks on the computing device, 
 following the logging, initiating, by the integrity manager, loading of an updated version of that at least one component of the kernel-mode component, and 
 following the loading, delivering, by the integrity manager, the logged events to the updated kernel-mode component. 
 
 
     
     
       2. The method of  claim 1 , further comprising:
 determining, by the integrity manager, that the integrity manager is to be updated; and 
 rebooting, by the integrity manager, the computing device. 
 
     
     
       3. The method of  claim 1 , wherein the registering of the one or more hooks or use of an operating system-provided veto mechanism enables the integrity manager to force registry reads to occur or network packets to be sent regardless of whether another component attempts to block the registry reads or network packets. 
     
     
       4. The method of  claim 1 , further comprising:
 receiving, by the integrity manager, a request to spawn a thread on behalf of the kernel-mode component; and 
 providing, by the integrity manager, a result of the thread to the kernel-mode component. 
 
     
     
       5. The method of  claim 1 , wherein the integrity manager may utilize an operating-system provided veto mechanism to force one or more actions. 
     
     
       6. The method of  claim 1 , further comprising maintaining a state of a state manager of the kernel-mode component. 
     
     
       7. The method of  claim 6 , wherein the state manager maintains handles, registry keys, memory allocations for the kernel-mode component, and other volatile data associated with the kernel-mode component. 
     
     
       8. The method of  claim 7 , further comprising, following the loading, initializing the updated kernel-mode component with the state of the state manager. 
     
     
       9. The method of  claim 1 , wherein the kernel-mode component transmits the request to the integrity manager after receiving the update. 
     
     
       10. The method of  claim 1 , wherein initiating the unloading comprises requesting an operating system of the computing device to unload the at least one component of the kernel-mode component and initiating the loading comprises invoking an operating system load function to load the updated version of that at least one component of the kernel-mode component. 
     
     
       11. The method of  claim 1 , further comprising determining that the loading has failed and, in response, initiating reloading of the unloaded version of that at least one component of the kernel-mode component. 
     
     
       12. A computing device comprising:
 a processor; and 
 a memory communicatively coupled to the processor and storing a kernel-mode component and an integrity manager associated with the kernel-mode component, 
 wherein the integrity manager is configured to be operated by the processor to perform operations including:
 registering one or more hooks with an operating system of the computing device on behalf of the kernel-mode component; 
 receiving a request associated with an update to the kernel-mode component; and 
 without rebooting the computing device,
 initiating unloading of at least one component of the kernel-mode component, 
 following the unloading, logging one or more events associated with the one or more hooks on the computing device, 
 following the logging, initiating loading of an updated version of that at least one component of the kernel-mode component, and 
 following the loading, delivering the logged events to the updated kernel-mode component. 
 
 
 
     
     
       13. The computing device of  claim 12 , wherein the operations further include:
 determining that the integrity manager is to be updated; and 
 rebooting the computing device. 
 
     
     
       14. The computing device of  claim 12 , wherein the operations further include:
 receiving a request to spawn a thread on behalf of the kernel-mode component; and 
 providing a result of the thread to the kernel-mode component. 
 
     
     
       15. The computing device of  claim 12 , wherein the integrity manager may utilize an operating-system provided veto mechanism to force one or more actions. 
     
     
       16. The computing device of  claim 12 , wherein the operations further include maintaining a state of a state manager of the kernel-mode component. 
     
     
       17. The computing device of  claim 16 , wherein the operations further include, following the loading, initializing the updated kernel-mode component with the state of the state manager. 
     
     
       18. A non-transitory computer-readable medium having stored thereon an integrity manager associated with a kernel-mode component, wherein the integrity manager, when executed by a computing device, causes the computing device to perform operations comprising:
 registering one or more hooks with an operating system of the computing device on behalf of the kernel-mode component; 
 receiving a request associated with an update to the kernel-mode component; and 
 without rebooting the computing device,
 initiating unloading of at least one component of the kernel-mode component, 
 following the unloading, logging one or more events associated with the one or more hooks on the computing device, 
 following the logging, initiating loading of an updated version of that at least one component of the kernel-mode component, and 
 following the loading, delivering the logged events to the updated kernel-mode component. 
 
 
     
     
       19. The non-transitory computer-readable medium of  claim 18 , wherein the operations further include:
 maintaining a state of a state manager of the kernel-mode component; and 
 following the loading, initializing the updated kernel-mode component with the state of the state manager. 
 
     
     
       20. The non-transitory computer-readable medium of  claim 18 , wherein the operations further include:
 determining that the integrity manager is to be updated; and 
 rebooting the computing device. 
 
     
     
       21. The non-transitory computer-readable medium of  claim 18 , wherein the operations further include:
 receiving a request to spawn a thread on behalf of the kernel-mode component; and 
 providing a result of the thread to the kernel-mode component. 
 
     
     
       22. The non-transitory computer-readable medium of  claim 18 , wherein the integrity manager may utilize an operating-system provided veto mechanism to force one or more actions.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.